changeset 2323:3439c902908c

Vulnerability in permissions assigned to applets with multiple JARs

2011-02-13 Andrew John Hughes <ahughes@redhat.com>
	* NEWS: Updated.

2011-02-11 Omair Majid <omajid@redhat.com>
	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
	(initializeResources()): Only create a SecurityDesc with all permissions when the jar is signed.
author Andrew John Hughes <ahughes@redhat.com>
date Sun, 13 Feb 2011 19:06:09 +0000
parents eaab590dcd87
children 82703ea0d4bc
files ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
diffstat 3 files changed, 20 insertions(+), 3 deletions(-)
--- a/ChangeLog	Sun Feb 13 14:34:19 2011 +0000
+++ b/ChangeLog	Sun Feb 13 19:06:09 2011 +0000
@@ -1,3 +1,13 @@
+2011-02-13  Andrew John Hughes  <ahughes@redhat.com>
+
+	* NEWS: Updated.
+
+2011-02-11  Omair Majid  <omajid@redhat.com>
+
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
+	(initializeResources()): Only create a SecurityDesc with
+	all permissions when the jar is signed.
+
 2011-02-10  Andrew John Hughes  <ahughes@redhat.com>
 
 	* Makefile.am: Add additional patch.
--- a/NEWS	Sun Feb 13 14:34:19 2011 +0000
+++ b/NEWS	Sun Feb 13 19:06:09 2011 +0000
@@ -18,6 +18,7 @@
   - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
   - S6985453, CVE-2010-4471: Java2D font-related system property leak
   - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
+  - Vulnerability in permissions assigned to applets with multiple JARs
 
 New in release 1.9.6 (2011-02-09):
 
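Review bot: the new NEWS line "Vulnerability in permissions assigned to applets with multiple JARs" carries no bug or CVE identifier, while every neighbouring entry in this list is prefixed with an S-number and CVE (e.g. "S6927050, CVE-2010-4470: ..."). Add the tracking identifier once it is assigned so downstream packagers can match this fix against advisories.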
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Sun Feb 13 14:34:19 2011 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Sun Feb 13 19:06:09 2011 +0000
@@ -439,9 +439,15 @@
                                     codebase = file.getResources().getMainJAR().getLocation();
                                 }
 
-                                        jarSecurity = new SecurityDesc(file,
-                                                        SecurityDesc.ALL_PERMISSIONS,
-                                                        codebase.getHost());
+                                        if (signing) {
+                                            jarSecurity = new SecurityDesc(file,
+                                                                             SecurityDesc.ALL_PERMISSIONS,
+                                                                             codebase.getHost());
+                                        } else {
+                                            jarSecurity = new SecurityDesc(file,
+                                                                            SecurityDesc.SANDBOX_PERMISSIONS,
+                                                                            codebase.getHost());
+                                        }
                                 }
 
                                 jarLocationSecurityMap.put(location, jarSecurity);
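Review bot: the `signing` flag tested at the top of this hunk is neither declared nor assigned within the hunk, yet it now decides whether this JAR is granted ALL_PERMISSIONS or SANDBOX_PERMISSIONS before the entry is stored via `jarLocationSecurityMap.put(location, jarSecurity)`; please confirm it reflects the verification result for the JAR at `location` and not a value left over from an earlier JAR in the loop, since a stale value would reintroduce exactly the over-grant this change fixes. Stylistically, the two branches differ only in the permission constant and could collapse to `jarSecurity = new SecurityDesc(file, signing ? SecurityDesc.ALL_PERMISSIONS : SecurityDesc.SANDBOX_PERMISSIONS, codebase.getHost());`, which also removes the one-column misalignment between the continuation lines of the if branch and those of the else branch.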